My mind feels like it has a rabid squirrel in it

#1 Tue, 07/22/2008 - 19:21
velvetpixel

My mind feels like it has a rabid squirrel in it

I have been trying to get my DNS records right and mail server (postfix) configured correctly so receiving remote mail servers (yahoo, hotmail, msn) are happy and don't block me and I just can't get it right.

I know previously I had asked questions about running separate postfix instances for domains with dedicated IPs but I am no longer trying to do that and my setup is default virtualmin pro setup.

The issues I am running into when doing tests at DNS Colos are:

Legend:
vps.example.net = server
74.63.2.190 = IP of the server
example.org = regular virtual host domain
example.com = Dedicated IP virtual host domain
74.63.2.190 = IP of dedicated IP virtual host domain

If it is a regular domain without a dedicated IP.

FAIL Mailserver connection test HELO, MAIL FROM, RCPT TO, QUIT

Connect to mailserver mail.example.org FAILED (could be greylisting) 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table

Here is what a regular virtual host domain DNS record looks like:

$ttl 38400
@ IN SOA ns1.example.net. hostmaster.example.net. ( 2008062811 2H 1H 1W 20M )
@ IN NS ns1.example.net.
@ IN NS ns2.example.net.
example.org. IN A 74.63.2.190
www.example.org. IN A 74.63.2.190
ftp.example.org. IN A 74.63.2.190
localhost.example.org. IN A 127.0.0.1
mail.example.org. IN A 74.63.2.190
example.org. IN MX 5 mail.example.org.
example.org. IN TXT "v=spf1 a mx a:example.org. ip4:74.63.2.190 -all"

If it is a domain with a dedicated IP it gets the fail above PLUS the fail below:

FAIL Mailserver greeting The server should have an A record which points to the mailserver for the hostname which is presented in the greeting

mail.example.com 220 vps.example.net ESMTP Postfix

Here is what a dedicated IP virtual host domain DNS record looks like:

$ttl 20M
@ IN SOA ns1.example.net. hostmaster.example.net. ( 2008070315 2H 1H 1W 20M )
@ IN NS ns1.example.net.
@ IN NS ns2.example.net.
example.com. IN A 74.63.2.247
www.example.com. IN A 74.63.2.247
ftp.example.com. IN A 74.63.2.247
localhost.example.com. IN A 127.0.0.1
mail.example.com. IN A 74.63.2.247
example.com. IN MX 5 mail.example.com.
example.com. IN TXT "v=spf1 a mx a:example.com ip4:74.63.2.247 ip4:74.63.2.190 -all"

Here is my postconf output:

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, vps.example.net
newaliases_path = /usr/bin/newaliases.postfix
qmgr_message_active_limit = 4000
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Why am I getting the fails when checking my record?

What is the right way to configure the DNS record for a virtual host that has a dedicated IP, as mail will not be coming from that IP but from the server's IP, right? Please help as my mind is almost gone! :)

Wed, 07/23/2008 - 04:23
ronald

Your DNS setup looks okay to me and I can telnet your postfix, however:
Connect to mailserver mail.example.org FAILED (could be greylisting)
550 5.1.1 : Recipient address rejected: User unknown in virtual alias table

I think it means there is no entry in the /etc/postfix/virtual for that domain/user.
So I would first try to solve that and then look at the next issue if it persists

as for:
example.com. IN TXT "v=spf1 a mx a:example.com ip4:74.63.2.247 ip4:74.63.2.190 -all

I am not sure if having 2 IPs in there is correct?

and:
mail.example.com. IN A 74.63.2.247
should this not be 74.63.2.190 as postfix is running on the latter IP..?
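The 550 "User unknown in virtual alias table" reply comes from Postfix finding no virtual_alias_maps entry for the recipient. The following is an added example, not the thread's or Postfix's own code: it parses a constructed /etc/postfix/virtual map in the hash map text format and applies the lookup order Postfix uses for a virtual alias domain (full address, then the @domain catch-all), so you can see which recipients would be accepted and which rejected before touching the live map. The map contents and the user-example mailbox name are assumptions; the bare "user" lookup step Postfix performs for its own $mydestination domains is omitted because it does not apply to a virtual alias domain.

```python
"""Model of Postfix virtual_alias_maps lookup for a virtual alias domain.

Added example (not from the forum thread or from Postfix itself). It shows
why a recipient such as info@example.org is rejected with 550 5.1.1 when
neither the exact address nor an @example.org catch-all is in the map.
"""
from typing import Dict, Optional

# Constructed map in /etc/postfix/virtual syntax (key, whitespace, result).
# The first line marks example.org as a virtual alias domain; it is not an
# alias for any address. Entries are assumptions, not Virtualmin's output.
VIRTUAL_MAP_TEXT = """
# virtual alias domain marker
example.org               example.org
postmaster@example.org    user-example
webmaster@example.org     user-example
"""


def parse_virtual_map(text: str) -> Dict[str, str]:
    """Parse the text form of a Postfix hash map into a dict.

    Blank lines and '#' comments are skipped; keys are folded to lower case,
    matching the default case-insensitive lookup of Postfix hash maps.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: postmap would complain, we just skip it
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_virtual(address: str, table: Dict[str, str]) -> Optional[str]:
    """Return the alias target, or None when no virtual alias matches.

    Lookup order for an address in a virtual alias domain:
    1. user@domain   (exact address)
    2. @domain       (catch-all for the domain)
    """
    local, _, domain = address.lower().partition("@")
    for key in (f"{local}@{domain}", f"@{domain}"):
        if key in table:
            return table[key]
    return None


def smtp_reply(address: str, table: Dict[str, str]) -> str:
    """SMTP reply Postfix gives at RCPT TO for an address in a virtual alias domain."""
    if lookup_virtual(address, table) is None:
        return "550 5.1.1 <%s>: Recipient address rejected: User unknown in virtual alias table" % address
    return "250 2.1.5 Ok"


if __name__ == "__main__":
    table = parse_virtual_map(VIRTUAL_MAP_TEXT)
    for rcpt in ("postmaster@example.org", "info@example.org"):
        print(rcpt, "->", smtp_reply(rcpt, table))
    # Adding the alias the testing site probes for makes the 550 go away.
    table["info@example.org"] = "user-example"
    print("info@example.org", "->", smtp_reply("info@example.org", table))
```

After editing the real file, `postmap /etc/postfix/virtual` must be run so the hash database matches the text; Postfix reads the .db, not the text file.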

Wed, 07/23/2008 - 16:46
Joe

Everything looks fine from here, though without the actual zone name, I'm not able to do much testing.

Note that pretty much all of the DNS testing sites have some slightly odd requirements for "success" in some of their tests.

Hehehe...I just tested virtualmin.com, and they give us a FAILED mark on that test, as well. I think they're just making a mistake in their parsing. I <i>know</i> our HELO is sane. They probably only tested on Sendmail or qmail systems, and never tried it on a Postfix system. I dunno. I wouldn't worry about this particular test--when I connect to your system via telnet on 25 it looks fine.

--

Check out the forum guidelines!

Wed, 07/23/2008 - 17:57 (Reply to #3)
velvetpixel

Thanks guys!

After looking in my logs I see that the first test failed because they are checking for an info@example.tld mail address. Who knows why but I added an alias for one on the domain I was testing and the error went away.

The other mail server greeting I can't get to go away.

So just to be sure.
Is the mail. A record for a virtual host domain with a dedicated IP supposed to point to the dedicated IP or to the IP of the server?

mail.example.com. IN A 74.63.2.247 <--IP of VHost
or
mail.example.com. IN A 74.63.2.190 <--IP of server

Is the MX record for the virtual host domain supposed to point to its own mail third level or is it supposed to point to the server?

example.org. IN MX 5 mail.example.org.
or
example.org. IN MX 5 vps.example.net.

If the A record is pointing to the server IP then won't that make an error regarding receiving mail servers that check RDNS as I have RDNS set by my host for my dedicated IP virtual host's IP to point to mail.example.com but the reverse is 74.63.2.247 (dedicated IP) not 74.63.2.190 (server IP) where the mail was actually sent from. Does that make sense?

Wed, 07/23/2008 - 22:50 (Reply to #4)
Joe

<div class='quote'>Is the mail. A record for a virtual host domain with a dedicated IP supposed to point to the dedicated IP or to the IP of the server?</div>

Doesn't matter.

<div class='quote'>Is the mail. A record for a virtual host domain with a dedicated IP supposed to point to the dedicated IP or to the IP of the server?</div>

Doesn't matter.

<div class='quote'>If the A record is pointing to the server IP then won't that make an error regarding receiving mail servers that check RDNS as I have RDNS set by my host for my dedicated IP virtual host's IP to point to mail.example.com but the reverse is 74.63.2.247 (dedicated IP) not 74.63.2.190 (server IP) where the mail was actually sent from. Does that make sense?</div>

Again, doesn't matter.

What matters:

The IP (which will generally be the "primary" IP on your system) on which your outgoing mail is sent <i>must</i> have a PTR (reverse) record. It doesn't matter what it is...as long as the name it returns is also resolvable.

The hostname that Postfix thinks of itself as must match the IP it is sending out with (again the primary IP...and it's hard to avoid getting this right, unless you set my_origin or some other silly misconfiguration, because Postfix ordinarily picks it all up from the system and the hostname of the system). This will generally not be the "mail.example.com" address. And that's OK. It'll probably be vps.example.net. Again, that's great. As long as it resolves.

To put this into concrete perspective:

Virtualmin.com sends out mail with a HELO of virtualmin.com

The address Postfix connects from (70.86.4.226) reverse resolves to e2.4.5646.static.theplanet.com, which resolves back to 70.86.4.226

Notice that when I send out mail from doxfer.com (also hosted on this system and going through the same Postfix) it still has HELO virtualmin.com, and the 70.86.4.226 address. The receiving server doesn't care about that at all...it just needs to see that they all resolve to something. (I'm ignoring SPF, etc. for the sake of simplicity in this discussion, of course.)

--

Check out the forum guidelines!
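Joe's checks above (the sending IP has a PTR, the PTR name resolves, the HELO name resolves) and the pingability warning quoted later in the thread (the PTR name's A record must point back at the same IP) can be expressed as a small forward-confirmed reverse DNS checker. The block below is an added example, not code from the thread or from Virtualmin. It answers queries from a constructed in-memory table built from the zone data in this thread so it runs offline; the PTR for 74.63.2.190 is an assumption (velvetpixel only says the server IP "has always had RDNS"), and the resolve() stub is where a real resolver such as dnspython would be plugged in for live use.

```python
"""Forward-confirmed reverse DNS and mail-DNS sanity checks.

Added example, not from the forum thread or Virtualmin. Each check returns a
list of problems; an empty list means the check passes.
"""
from typing import Dict, List, Tuple

# Constructed answer table: (name, rrtype) -> rdata list, built from the
# zone data posted in the thread. The PTR for 74.63.2.190 is an assumption.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.org", "MX"): ["5 mail.example.org"],
    ("mail.example.org", "A"): ["74.63.2.190"],
    ("example.com", "MX"): ["5 mail.example.com"],
    ("mail.example.com", "A"): ["74.63.2.247"],
    ("vps.example.net", "A"): ["74.63.2.190"],
    ("190.2.63.74.in-addr.arpa", "PTR"): ["vps.example.net"],
    ("247.2.63.74.in-addr.arpa", "PTR"): ["mail.example.com"],
}


def resolve(name: str, rrtype: str, zone: Dict = ZONE) -> List[str]:
    """Stub resolver: look the record up in the in-memory table."""
    return zone.get((name.rstrip(".").lower(), rrtype), [])


def reverse_name(ip: str) -> str:
    """74.63.2.190 -> 190.2.63.74.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_sending_ip(ip: str, zone: Dict = ZONE) -> List[str]:
    """Joe's rule plus the pingability rule: the IP needs a PTR, the PTR name
    must resolve, and its A record must contain the same IP (FCrDNS)."""
    ptrs = resolve(reverse_name(ip), "PTR", zone)
    if not ptrs:
        return [f"{ip} has no PTR record"]
    problems: List[str] = []
    for name in ptrs:
        addrs = resolve(name, "A", zone)
        if not addrs:
            problems.append(f"PTR name {name} does not resolve")
        elif ip not in addrs:
            problems.append(f"PTR name {name} resolves to {addrs}, not {ip}")
    return problems


def check_helo(helo_name: str, zone: Dict = ZONE) -> List[str]:
    """The name Postfix announces in HELO must resolve to something."""
    if resolve(helo_name, "A", zone):
        return []
    return [f"HELO name {helo_name} does not resolve"]


def check_mx(domain: str, zone: Dict = ZONE) -> List[str]:
    """Every MX target for the domain must have an A record."""
    mxs = resolve(domain, "MX", zone)
    if not mxs:
        return [f"{domain} has no MX record"]
    problems: List[str] = []
    for rr in mxs:
        _, host = rr.split()
        if not resolve(host, "A", zone):
            problems.append(f"MX target {host} has no A record")
    return problems


def report(domain: str, sending_ip: str, helo_name: str, zone: Dict = ZONE) -> List[str]:
    """Run all checks for one hosted domain as it would be seen by a receiver."""
    return check_sending_ip(sending_ip, zone) + check_helo(helo_name, zone) + check_mx(domain, zone)


if __name__ == "__main__":
    # Mail for every hosted domain leaves from the server IP with HELO vps.example.net.
    for dom in ("example.org", "example.com"):
        print(dom, report(dom, "74.63.2.190", "vps.example.net") or "OK")
    # The state that triggered the pingability warning: PTR says
    # mail.example.com but that name's A record is the server IP.
    before = dict(ZONE)
    before[("mail.example.com", "A")] = ["74.63.2.190"]
    print("247 before fix:", check_sending_ip("74.63.2.247", before))
```

Note that the dedicated IP only matters to receivers if mail actually leaves from it; with a single Postfix instance everything goes out from the primary IP, which is the one whose PTR and HELO name a receiver evaluates.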

Thu, 07/24/2008 - 00:29 (Reply to #5)
velvetpixel

Thanks for the info Joe.

Yeah my server IP has always had RDNS.

<div class='quote'>Doesn't matter.</div>
mail.example.com. IN A 74.63.2.247 <--IP of VHost
May not matter but if it's set wrong will throw an error at the testing site so I will leave it where it makes the tests happy :)

The thing that made me start to question my setup in the first place is I am getting greylisting errors from yahoo. I was worried that it was something wrong with my setup due to the error at dnscolo but now I think the checker there is messed up!

I just wanted to make sure I had all my ducks in a row before submitting all my info in yahoo's submission application to help prevent greylisting or mail going to bulk.

So let me see if I get it yet :)
Receiving mail servers really never care what the dedicated IP of a virtual host is, don't care about RDNS for that virtual host's dedicated IP and they really don't care about anything in DNS for that domain (not counting SPF of course). All they care about is the IP of the server's mail server and that the RDNS for the server matches the IP for the mail server.

Did I get it right?

Thu, 07/24/2008 - 05:16 (Reply to #6)
ronald

<div class='quote'>The thing that made me start to question my setup in the first place is I am getting greylisting errors from yahoo.</div>

If you are worried about yahoo's greylisting then don't worry too much.

For instance:
I send out a newsletter to 4600 subscribers of which approx. 1000 are yahoo accounts.
Each of them ends up in the postfix queue with some sort of "not allowed", "greylist", "refused" etc etc.

I also had some email conversation with yahoo because I was worried too in the beginning, and in the end (after 2 or 3 days), they all go through. It apparently is a policy to not just accept and pass all the emails.

I do have a bounce@mydomain.com in place so all the emails that cannot be delivered due to blocked, unused, mailbox full and non-existing accounts are returned to that email address and I can apply my bounce rules to have those emails blacklisted in my app (phplist).

As a result they do not receive the newsletter anymore and that is a policy yahoo and others like to see.

Thu, 07/24/2008 - 11:00 (Reply to #7)
velvetpixel

Thanks Ronald!

It's good to know I am not the only one seeing greylisting.

Wed, 07/23/2008 - 21:01
cyrus

Do your results come out OK from intoDNS (http://www.intodns.com/) and pingability (http://pingability.com/zoneinfo.jsp)?

Thu, 07/24/2008 - 00:01 (Reply to #9)
velvetpixel

<div class='quote'>Do your results come out OK from intoDNS and pingability</div>
I've been using intoDNS and don't have any fails or warnings (except for my two NS not being on different subnets) but at pingability (which I hadn't used before) I get this error:

Warning The RDNS entry 247.2.63.74.in-addr.arpa (example.com./74.63.2.247) points to mail.example.com.. However mail.example.com. does not have an IP Address (A) record that matches this IP. Rather it has an IP Address of 74.63.2.190

That was when I had:
mail.example.com. IN A 74.63.2.190 <--IP of server

When I changed it to:
mail.example.com. IN A 74.63.2.247 <--IP of VHost

The error went away :)
